"It can require disclosure of relationship, medical and other detailed personal information. Holding that information on systems that comply with Government information security standards is a critical protection for the people concerned," she says.

"It is also important for national security that sensitive information about people in the intelligence and defence sectors is kept safe from external access and exploitation."

Ms Gwyn acknowledged work had been done over the past 18 months to make the systems more secure.

But while some steps were taken to secure the systems when they were first introduced, the compliance programme was needed to make sure it met the required standards.

The SIS director has accepted the report's recommendations, which include avoiding the same thing happening again with new systems and better internal controls of data access.

The report's release was delayed by "significant and continuing disruption" to the Inspector-General's office following the Kaikoura earthquake in November.

The routine review, which is required in law, started in January 2015, with the first part released in April last year.